Students Assess Network Security of Over 20 Companies

Do you ever wonder how secure your Venmo app is? Or whether your information is at risk each time you use Uber?

Luckily for us, Sharon Goldberg – a Hariri Institute Fellow, CS Associate Professor, and international expert on cybersecurity – does. Through her “Network Security” course, she is ensuring BU students of all levels (undergraduate seniors, masters, and PhD students) are pushing the frontier of applied cryptography, web security, and network protocol security. CS 558 is an introduction to network security course in which student teams audit the security of popular websites. Students review how sites use encryption, how they track visitors through the use of cookies, and the procedures they use to keep user information private and secure.

Nearly 100 students enrolled in the course this past semester and assessed a variety of companies, including eBay, Pinterest, Reddit, AT&T, and Groupon, to provide comprehensive evaluations of their online security protocols.

Shahrez Jan, Austin Small, Scarleth Estevez, and Mike Winters chose to evaluate Uber. While providing a note of caution regarding the company’s hiring practices, students asserted that the mobile app and website are using standard and sufficient security measures to protect user and driver information. Additionally, in reviving the company’s privacy policies, the students felt confident that Uber continues to place the privacy of community members at the forefront of their business practices.

Benny Guan, Jeraldine Guerrero, Hanson Duan, and Ines Kim reviewed Venmo, the popular payment sharing app. The team verified that users’ information and funds are secure within the network system. However, they identified potential issues with functionality and transaction guarantees due to the multi-day lag between Venmo’s initial request to a user’s bank and when hard funds are deposited into the user’s Venmo account. The team also realized that it’s relatively easy for bad actors to impersonate users by identifying their friend circles, which are public, and potentially charging other users fraudulently.

Constantine Sparakis & John Reidy present their assessment of SoundCloud.

Some students even found vulnerabilities in the sites they audited. Following the standard “responsible disclosure” guidelines for researchers who uncover software vulnerabilities, students worked with Professor Goldberg to reach out to affected companies and alert them to potential security risks.